iptables, the successor to ipchains, is the command-line tool that manages the rules of netfilter, the packet-filtering framework built into the Linux kernel from the 2.4 series onward; together they are the Linux firewall.
By default there are no rules and the policies of the built-in chains ACCEPT all traffic, inbound and outbound, so a fresh system filters nothing until you add rules or change a policy.
These terms are important to know when working with iptables:
- Tables - containers for chains, grouped by purpose (filtering, NAT, header mangling)
- Chains - ordered lists of rules attached to a point in the packet's path (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING); a packet is checked against the rules top to bottom and the first match decides
- Targets - what happens to a packet that matches a rule (ACCEPT, DROP, REJECT, or a jump into another chain)
CREATED 2019-04-26 00:44:59 | ID 007-00-00-DC | UPDATED 2020-03-05 12:26:41
Tables (hence iptables):
- filter - the default. If you don't specify a table with -t the rule goes here. Built-in chains: INPUT, OUTPUT, FORWARD.
- mangle - rules that alter packet headers (TTL, TOS, firewall marks).
- nat - rules for Network Address Translation (SNAT, DNAT, MASQUERADE); consulted only for the first packet of a connection, the rest follow the tracked entry.
- raw - processed before connection tracking, so its rules see packets before any state exists; used mainly to exempt traffic from tracking with NOTRACK.
The tables are fixed; what you can create are custom chains (iptables -N name) inside a table. In a rule the -j parameter is jump: its argument is either a terminating target such as ACCEPT, DROP or REJECT, or the name of another chain in the same table, whose rules are then evaluated before control returns to the calling chain.
CREATED 2019-04-25 19:24:04 | ID 007-00-00-D8 | UPDATED 2020-03-05 12:26:37
Chains operate within the tables. Each table has its own set of built-in chains (filter: INPUT, OUTPUT, FORWARD; nat: PREROUTING, INPUT, OUTPUT, POSTROUTING), and a packet traverses a chain's rules in order until one with a terminating target matches; if none matches, the chain's policy (-P) applies, which is why a default-deny firewall sets the INPUT policy to DROP and adds explicit ACCEPT rules.
CREATED 2019-04-25 19:24:23 | ID 007-00-00-D9 | UPDATED 2020-03-05 12:26:32
iptables -t filter -A INPUT -m connlimit ...
Extensions (match modules) are loaded with the -m (--match) argument; the module's own options must follow it on the same rule.
This example loads the connlimit module, so --connlimit-* options can follow.
CREATED 2019-04-25 19:42:37 | ID 007-00-00-DA | UPDATED 2020-03-05 12:26:25
connlimit limits the number of parallel connections per client address or address block, which is what you want against connection-flooding of a service such as SSH.
From the iptables man page:
- --connlimit-upto n - match if the number of existing connections is at or below n
- --connlimit-above n - match if the number of existing connections is above n
- --connlimit-mask prefix_length - group hosts by this prefix length (0-32 for IPv4, 0-128 for IPv6); 32 keeps one counter per IPv4 address, 24 counts a whole /24 together
- --connlimit-saddr - apply the limit to the source group (the default)
- --connlimit-daddr - apply the limit to the destination group
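The following script ties the two notes together: it is an added example, not code from the original notes, showing a default-deny filter table with a user-defined chain (SSH_LIMIT, created with -N and reached with -j) that applies the connlimit match to new SSH connections. The chain name, the ports and the limits are assumptions of this example; with DRY_RUN=1 the rules are printed instead of applied so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original notes: default-deny INPUT with a
# user-defined chain that rate-limits SSH via the connlimit match.
# SSH_LIMIT, the ports and the limits are assumptions of this example.
set -eu

# Run iptables, or with DRY_RUN=1 print the command instead.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Open the policy and flush first, so re-running over an SSH session
    # never leaves a DROP policy in place while the accept rules are missing.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # A user-defined chain in the filter table: -N creates it (flush it if it
    # already exists); a rule in INPUT jumps into it with -j.
    ipt -N SSH_LIMIT 2>/dev/null || ipt -F SSH_LIMIT
    # Reject a 4th concurrent SSH connection from one IPv4 address
    # (mask 32 = one counter per source address).
    ipt -A SSH_LIMIT -p tcp --syn -m connlimit --connlimit-above 3 \
        --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
    # Drop beyond 20 concurrent connections from any single /24
    # (mask 24 groups all hosts of the network into one counter).
    ipt -A SSH_LIMIT -p tcp --syn -m connlimit --connlimit-above 20 \
        --connlimit-mask 24 -j DROP
    ipt -A SSH_LIMIT -j ACCEPT

    # Only NEW SSH connections enter SSH_LIMIT; established ones were
    # accepted above, so the counters are only consulted on connection setup.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT

    # Policies last: anything not matched above is now dropped.
    ipt -P FORWARD DROP
    ipt -P INPUT DROP
}

# Apply only when asked for explicitly: sh firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    firewall_rules
fi
```

Review the rule set with `DRY_RUN=1 sh firewall.sh --apply` before applying it for real; the ordering (flush, accept rules, policies last) is what keeps an existing SSH session alive while the script runs.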
CREATED 2019-04-25 19:42:54 | ID 007-00-00-DB | UPDATED 2020-03-05 12:26:21
The situation. We have a multihomed machine that operates on two different networks.
- Network A - 192.168.1.0/24 (eth0, address 192.168.1.94, gateway 192.168.1.1)
- Network B - 192.168.2.0/24 (eth1, address 192.168.2.36, gateway 192.168.2.1)
With a single routing table only one default gateway is used, so replies to hosts reached through the second network leave via the wrong interface with the wrong source address. We must do three things to address this situation:
- Create two routing tables in /etc/iproute2/rt_tables
- Add routes to the interfaces file for each interface, in that interface's table
- Add a rule to the interfaces file for each NIC, so traffic from that NIC's address is looked up in its own table
First the tables file... in /etc/iproute2/rt_tables add two lines:

    1 routeA
    2 routeB

This indicates that table 1 is named routeA and table 2 is named routeB.
Next add the routes to /etc/network/interfaces for the first network card (eth0) that will operate on routeA, i.e. 192.168.1.0/24:

    allow-hotplug eth0
    iface eth0 inet static
        address 192.168.1.94/24
        gateway 192.168.1.1
        post-up ip route add 192.168.1.0/24 dev eth0 src 192.168.1.94 table routeA
        post-up ip route add default via 192.168.1.1 dev eth0 table routeA
        post-up ip rule add from 192.168.1.94/32 table routeA
        post-up ip rule add to 192.168.1.95/32 table routeA

This tells the system to consult table routeA, and therefore use eth0 and gateway 192.168.1.1, for anything sent from 192.168.1.94 (the from rule) and for anything addressed to 192.168.1.95 (the to rule).
Next in the same file add a second stanza, with routes and rules for the second network (192.168.2.0/24). The routes must name eth1, not eth0, and only one stanza carries a gateway line: ifupdown installs each gateway as a default route in the main table, and the second one fails with "RTNETLINK answers: File exists". Network B's default route lives in table routeB instead.

    allow-hotplug eth1
    iface eth1 inet static
        address 192.168.2.36/24
        post-up ip route add 192.168.2.0/24 dev eth1 src 192.168.2.36 table routeB
        post-up ip route add default via 192.168.2.1 dev eth1 table routeB
        post-up ip rule add from 192.168.2.36/32 table routeB
        post-up ip rule add to 192.168.2.36/32 table routeB

Check the result with ip rule show and ip route show table routeB after bringing the interfaces up.
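The post-up lines above are not idempotent: ip route add fails once the route exists, and ip rule add happily installs a second copy of the same rule every time the interface is brought up. The script below is an added example, not code from the original notes, that generalises the per-interface setup into a function and makes it safe to re-run: ip route replace updates an existing route, and a rule is only added when ip rule show does not already list it. The interface names, addresses and table names are those of the notes; DRY_RUN and RULES_FIXTURE are assumptions of this script, used to print commands instead of running them and to supply canned ip rule show output.

```shell
#!/bin/sh
# Added example, not from the original notes: idempotent policy routing for
# the two-network host above. DRY_RUN and RULES_FIXTURE are assumptions of
# this script (print instead of execute; canned `ip rule show` output).
set -eu

# Run a command, or with DRY_RUN=1 print it instead.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Current `ip rule show` output, or the fixture when one is supplied.
current_rules() {
    if [ -n "${RULES_FIXTURE:-}" ]; then
        printf '%s\n' "$RULES_FIXTURE"
    else
        ip rule show
    fi
}

# Exit 0 if a rule with selector $1 (e.g. "from 192.168.1.94 lookup routeA")
# appears in `ip rule show` output read from stdin. Lines look like
#   32765:  from 192.168.1.94 lookup routeA
# (a /32 source is printed without its prefix length).
rule_present() {
    grep -Eq "^[0-9]+:[[:space:]]+$1\$"
}

# setup_table IFACE ADDR NET GATEWAY TABLE: the per-interface routes and
# source-address rule from the interfaces stanzas, safe to run repeatedly.
setup_table() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    # replace, not add: re-running must not fail with "File exists"
    run ip route replace "$net" dev "$iface" src "$addr" table "$table"
    run ip route replace default via "$gw" dev "$iface" table "$table"
    # rules have no replace; check before adding to avoid duplicates
    if ! current_rules | rule_present "from $addr lookup $table"; then
        run ip rule add from "$addr/32" table "$table"
    fi
}

# Apply only when asked for explicitly: sh policy-routes.sh --apply
if [ "${1:-}" = "--apply" ]; then
    setup_table eth0 192.168.1.94 192.168.1.0/24 192.168.1.1 routeA
    setup_table eth1 192.168.2.36 192.168.2.0/24 192.168.2.1 routeB
fi
```

Called from a single post-up line per interface (or from a script run after both are up), this replaces the four post-up commands of each stanza; the to rules of the notes are left to be added in the same guarded way if they are needed.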
CREATED 2020-03-05 12:25:31 | ID 010-00-00-92 | UPDATED 2020-03-05 12:26:15